Perimeter Defense - Email Security > [T5]: Validate, Mitigate and Remediate


A good incident response plan should achieve three core objectives: stop the damage, fix it, and prevent it from happening again. Let’s break this down into three phases: validation, mitigation, and remediation.


  1. Validate - confirm and analyze the attack:
    • Who detected the attack and how?
    • Does the mail contain attachments? Are they malicious (i.e., do they carry a payload)?
    • Does the mail contain links? Are they malicious (i.e., a phishing site, a site hosting malware, or an exploit kit (EK))?
    • Identify impacted users who received the message and opened attachments or links, using DNS, EDR, and web proxy logs. Pay attention to auto-forwarding rules.
    • Identify impacted devices: which devices did users use to open the attachment or the link?
    • Search the incoming mail gateway to find out whether some messages were stopped at the gateway level and never reached the mailbox server.
    • Extract the following information from the malicious email:
      • Sender server IP address.
      • Sender email address.
      • Sender domain name.
      • Email subject.
      • Strings from the email body: unique strings specific to the received mail.
      • Attachment name, size, and hash.
      • Embedded URLs.

  2. Mitigate - prevent further damage:
    • Sinkhole the malicious domains on the DNS server (e.g., the domains used to phish users, to download malware, and the C2 server). Any hit to the sinkhole server represents a possible infection.
    • Block malicious domains on the web proxy.
    • Block malware execution on endpoints using the Endpoint Detection and Response (EDR) solution.
    • Lock down compromised accounts until you have assessed the situation. Coordinate with account owners before doing so.
    • Isolate compromised devices. Coordinate with currently logged-in users first.

  3. Remediate - remove present damage and prevent it from happening again:
    • Pull/remove the malicious email from the mailbox server. Run multiple searches using the email subject, sender email address, and sender domain. Keep copies for incident tracking purposes.
    • For impacted users, reset passwords and perform device forensics.
    • Report the malicious URL to your web proxy vendor and to browser vendors.
    • Submit the malware sample to your anti-malware and EDR vendors so they can update their signature databases.
    • Contact the hosting company to take down the malicious site and hosting account.
    • Create a filter on the incoming mail gateway to quarantine future messages matching the exact/partial email subject, sender email address, sender domain, sender server IP address, and unique strings from the mail body.
    • Determine and address the root cause of the attack (e.g., a missing filter, low-quality feeds, lack of awareness, use of an unmanaged device, etc.).
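The extraction step of the validation phase can be scripted so that every analyst pulls the same fields in the same way. The following Python script is an added example (not part of the original page or of the CESS playbook it references); it uses only the standard library to parse a constructed sample .eml and return the indicators listed above: the sender server IP from the Received header written by the local gateway, the sender address and domain, the subject, embedded URLs, and each attachment's name, size and SHA-256. All addresses, hostnames and IPs in the sample are made up for illustration.

```python
"""Pull triage indicators out of a suspicious email (validation phase)."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message: every address, host and IP below is fictional.
SAMPLE_EML = b"""\
Return-Path: <billing@invoice-portal.example>
Received: from mx.invoice-portal.example (mx.invoice-portal.example [203.0.113.77])
\tby mail.corp.example with ESMTP id 7f3a2b; Tue, 05 Mar 2024 09:14:02 +0000
From: "Accounts Payable" <billing@invoice-portal.example>
To: user@corp.example
Subject: Overdue invoice #48213 - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Review it here: http://invoice-portal.example/view?id=48213
Reference code: ZQ-7781-INV
--b1
Content-Type: application/octet-stream; name="invoice_48213.zip"
Content-Disposition: attachment; filename="invoice_48213.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# IPv4 address in square brackets, as MTAs write the connecting peer's IP.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_indicators(raw: bytes) -> dict:
    """Return the indicators the validation step asks for, as a dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Sender server IP: read it from the Received header added by OUR gateway,
    # which is the top-most one. Received lines below it were written by the
    # sender's infrastructure and can be forged.
    received = msg.get_all("Received") or []
    ip_match = IPV4_RE.search(str(received[0])) if received else None

    sender_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    sender_domain = sender_addr.rpartition("@")[2]

    # Decoded body text: URLs are extracted automatically, unique strings are
    # for the analyst to pick from the returned text.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # base64 already decoded
        attachments.append({
            "name": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })

    return {
        "sender_ip": ip_match.group(1) if ip_match else None,
        "sender_address": sender_addr,
        "return_path": return_path,
        "sender_domain": sender_domain,
        "subject": str(msg.get("Subject", "")),
        "urls": sorted(set(URL_RE.findall(body_text))),
        "attachments": attachments,
        "body_text": body_text,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_indicators(SAMPLE_EML), indent=2))
```

Feed the output straight into the mitigation and remediation steps: the domain and IP go to the sinkhole and proxy block lists, the attachment hash to the EDR, and the subject, sender and unique body strings to the gateway quarantine filter. Hash the decoded attachment bytes, not the base64 text, or the hash will never match what the EDR or sandbox reports.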

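Once the domains are sinkholed, the resolver logs become a detection source both for the "possible infection" check in the mitigation step and for the impacted-device hunt in the validation step. The following Python snippet is an added example (not from the page); it runs over constructed resolver log lines in a simplified key=value format (LOG_RE would need adapting to a real resolver's log format) and lists which clients resolved a sinkholed domain or any of its subdomains, while ignoring look-alike names that merely end in the same string.

```python
"""Find hosts that queried a sinkholed domain (mitigation / validation phases)."""
import re
from collections import defaultdict

# Domains sinkholed during mitigation (constructed examples).
SINKHOLED = {"invoice-portal.example", "cdn-update.example"}

# Constructed DNS query log in a simplified key=value format; real resolver
# logs (BIND, Unbound, Windows DNS) differ, so adapt LOG_RE accordingly.
SAMPLE_LOG = """\
2024-03-05T09:20:11Z client=10.1.2.3 query=invoice-portal.example type=A
2024-03-05T09:20:12Z client=10.1.2.3 query=www.corp.example type=A
2024-03-05T09:21:40Z client=10.1.7.9 query=INVOICE-PORTAL.example. type=A
2024-03-05T09:22:05Z client=10.1.4.4 query=files.cdn-update.example type=A
2024-03-05T09:22:06Z client=10.1.4.4 query=notcdn-update.example type=A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def is_sinkholed(qname: str) -> bool:
    """True for the sinkholed domain itself or any subdomain of it.

    The leading dot in the suffix test keeps 'notcdn-update.example' from
    matching 'cdn-update.example'.
    """
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in SINKHOLED)


def sinkhole_hits(log_text: str) -> dict:
    """Map each client IP to the sinkholed names it resolved and the first time seen."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_sinkholed(m["qname"]):
            continue
        hits[m["client"]].setdefault(normalize(m["qname"]), m["ts"])
    return dict(hits)


if __name__ == "__main__":
    for client, names in sinkhole_hits(SAMPLE_LOG).items():
        for name, first_seen in names.items():
            print(f"{client} resolved {name} (first seen {first_seen}) - triage this host")
```

Each client IP in the result is a device to isolate and hand to forensics; join it against DHCP or EDR inventory to turn the address into a hostname and a logged-in user, since the DNS log alone only tells you which resolver client asked.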

[Figure]


End users are the ultimate targets of email attacks, so it is very important to give users a simple means of interacting with the SOC team so that they can report suspicious messages. This is typically implemented as a reporting button that recipients can use to flag suspicious messages.


Make sure the SOC is easily accessible to end users. The easier it is for users to reach the SOC team, the better detection and response will be. Most SOC teams focus on collecting logs from different systems, but few recognize the importance of collecting users’ feedback and making the SOC easily accessible to end users.


How many alerts has your SOC team received from end users in the past month? SOC teams can use two key performance indicators for communication between users and the security team:

  1. The number of monthly user-reported alerts.
  2. The number of reported alerts that were true positives (valid attacks).


The first is an indicator of how accessible the security team is to end users, and the second represents the quality of the reported alerts. Suppose 100 alerts were received and only 5 of them were actual attacks. That means the security team should conduct more awareness sessions and educate users on how to differentiate between legitimate and suspicious messages.


At the end of this section, here is a real phishing playbook for SOC teams along with the response procedure (CESS-Phishing Response Procedure.xlsx).


Helpful Resources:
